2
Outline
  Introduction
  Performance Of Current Worms In IPv6
  Speedup Of Worms’ Propagation In IPv6
  Interim From IPv4 To IPv6
  Conclusion

3
Fast-propagating Worms vs. IPv6 (1)
  Facts
    – Almost all fast-propagating worms use some form of Internet scanning
    – The larger the address space is, the less efficient scanning is
    – IPv6 has a huge address space
  Optimistic vision
    – Worms may experience significant barriers to propagating fast in IPv6

4
Fast-propagating Worms vs. IPv6 (2)
  Facts
    – Some design features of IPv6 automatically shrink its huge address space
    – A variety of techniques can be employed by a worm to improve its propagation efficiency
    – Other progress in the future Internet can eliminate the current bottleneck on worms’ fast propagation
  Pessimistic vision
    – Fast-propagating worms will remain one of the main threats to the Internet in IPv6

5
Motivation
  Importance
    – Since IPv6 is the foundation of the next-generation Internet, it is important to see whether its huge address space really makes it immune to fast-propagating worms
  Usefulness
    – There is still some time before IPv6 is widely deployed, so design changes are still possible
  Worthiness
    – There has not yet been a comprehensive analysis of fast-propagating worms in IPv6

6
Goal
  IPv6 design features analysis
    – Identify the bad design choices and design tradeoffs that speed up worms’ propagation
    – Figure out what modifications can prevent them from being taken advantage of
  Possibility of fast-propagating worms in IPv6
    – Based on a reasonable IPv6 design, can a worm still compromise all the vulnerable hosts before human action can be taken?
  The two goals are pursued in an interleaved fashion in the project

7
Outline
  Introduction
  Performance Of Current Worms In IPv6
  Speedup Of Worms’ Propagation In IPv6
  Interim From IPv4 To IPv6
  Conclusion

10
Sapphire in IPv4
  Both the results from the formula and the simulations match the real data collected during Sapphire’s spread
    – the infected population doubles in size every 8.5 (±1) seconds and the scanning rate reaches its peak within 3 minutes

11
Sapphire in IPv6
  We assume Sapphire spreads in a /64 IPv6 sub-network, which is the smallest sub-network in IPv6
    – it will take 30 thousand years to compromise most of the vulnerable hosts

12
IPv6 Is Keeping Ahead
  If IPv6 is perfectly designed
  If no other techniques can speed up worms’ propagation
    – Fast-propagating worms are impossible in IPv6

13
Outline
  Introduction
  Performance Of Current Worms In IPv6
  Speedup Of Worms’ Propagation In IPv6
  Interim From IPv4 To IPv6
  Conclusion

15
Taxonomy Based On RCS Model
  A variety of IPv6 design features and scanning techniques can speed up worms’ propagation in IPv6
  Most of their effects can be mapped to the four factors of the RCS model
  Some of them cannot be fitted into the RCS model
    – the RCS model should be extended or simulations should be done

20
Increase The Total Vulnerable Population: N
  The effect of doubling N equals the effect of doubling r
  Blaster targeted a vulnerability in core Windows components, creating a more widespread threat than the server software targeted by previous network-based worms, and resulting in a much higher density of vulnerable systems
  According to IDC, Microsoft Windows represented 94 percent of the consumer client software sold in the United States in 2002

21
Reduce The Real Address Space: P (1)
  Subnet scanning
    – focus on a /64 IPv6 sub-network
  The standard method of deriving the EUI field of an IPv6 address from the 48-bit MAC address
    – further reduces the address space to 48 bits
  Assume Gigabit Ethernet
    – 300,000 scans per second

22
Reduce The Real Address Space: P (2)
  Densely allocated IPv6 addresses
    – may reduce the real address space to 32 bits or even 16 bits, which means a few seconds are enough for the worm to compromise all the vulnerable hosts
  Analysis of IPv6 design features
    – The auto-configuration design feature of IPv6 sacrifices 16 bits of address space in the EUI field, which can dramatically speed up worms’ propagation
        – a new design choice that allows auto-configuration while maintaining the whole address space
    – Addresses should never be allocated densely in IPv6
        – a random distribution can take advantage of the whole address space

23
Increase The Initially Infected Hosts: I0 (1)
  Due to the annoying length of the 128-bit IPv6 address, every host in IPv6 networks may have a DNS name, so a DNS attack can reveal many host addresses
  Assume 1,000 initially infected hosts

24
Increase The Initially Infected Hosts: I0 (2)
  Analysis of IPv6 design features
    – Assigning a DNS name to each host makes the 128-bit IPv6 address tolerable, but it increases the harm of a DNS attack
    – Not only public servers: the addresses of normal hosts can also be revealed in a DNS attack
    – Safe DNS servers are critical in IPv6 to prevent fast worm propagation
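A worked calculation for the N, P and I0 slides above, added here and not taken from the original deck. It assumes the standard logistic form of the RCS model, dI/dt = (r/P)·I·(N − I), because the slides' own formula is not reproduced on this page; the function names and the value of N are hypothetical, while 300,000 scans per second and 1,000 seed hosts are the slides' assumptions.

```python
import math

def rcs_rate(r, N, P):
    """Initial compromise rate K = r*N/P (per second) under uniform random scanning."""
    return r * N / P

def time_to_fraction(f, r, N, P, I0=1):
    """Seconds until a fraction f of the N vulnerable hosts is infected.

    Closed form of the logistic dI/dt = (r/P) * I * (N - I) with I(0) = I0.
    """
    if not 0 < f < 1 or not 0 < I0 < f * N:
        raise ValueError("need 0 < f < 1 and 0 < I0 < f*N")
    K = rcs_rate(r, N, P)
    return math.log(f * (N - I0) / ((1 - f) * I0)) / K

N = 10_000            # constructed value: vulnerable hosts in the sub-network
R_GIGABIT = 300_000   # scans per second, the slides' Gigabit Ethernet assumption
SCENARIOS = {         # effective address space P for each allocation style
    "full /64 host field (2^64)": 2**64,
    "EUI-64 from MAC (2^48)": 2**48,
    "dense allocation (2^32)": 2**32,
    "dense allocation (2^16)": 2**16,
}

def report(f=0.9, I0=1):
    """Return {scenario: seconds to infect a fraction f} for each address space."""
    return {name: time_to_fraction(f, R_GIGABIT, N, P, I0)
            for name, P in SCENARIOS.items()}

if __name__ == "__main__":
    for I0 in (1, 1000):   # single seed vs. the slides' 1,000 initially infected hosts
        for name, secs in report(I0=I0).items():
            print(f"I0={I0:<5} {name:<28} {secs:12.3e} s ({secs / 86400:.3e} days)")
```

For an address plan, the useful reading is the spread between rows: every 16 bits of real address space given up divides the time to saturation by 65,536, while seeding with 1,000 hosts only shortens the logarithmic term.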

26
More Practical Scenario (2)
  By taking advantage of the IPv6 design features and scanning mechanisms that can be fitted into the RCS model, a couple of days are needed to infect the whole sub-network
  Not fast enough
    – can only compromise 20% of vulnerable hosts within a day

29
Topological Scanning (3)
  Extension of RCS_EX1 model
    – Assume a hybrid worm, which can reveal host addresses from all machines it touches but can only control a portion of them via another vulnerability
        – RCS_EX2_1 model
    – DNS cache is updated when a host is touched more than once
        – RCS_EX2_2 model

30
Topological Scanning (5)
  F’ – number of addresses updated when a host is touched again; assume it is 10

34
Outline
  Introduction
  Performance Of Current Worms In IPv6
  Speedup Of Worms’ Propagation In IPv6
  Interim From IPv4 To IPv6
  Conclusion

35
Things To Be Taken Care Of During Interim
  Never use easy-to-remember IPv6 addresses
    – It is common to derive the IPv6 address directly from the IPv4 address when an IPv4 network is newly upgraded to an IPv6 network
    – This easy upgrade limits the real IPv6 address space to the original IPv4 address space
  IPv6 networks are not isolated when most of the Internet is still IPv4
    – The 6to4 automatic SIT tunnel (2002::/16 prefix) enables IPv4 hosts to connect to IPv6 networks (such as 6Bone) without external IPv6 support
    – Gateways are established for communication among three global prefixes (2002::/16 for 6to4, 2001::/16 for Internet6, 3fff::/16 for 6Bone)
    – Many current operating systems support the 6to4 SIT autotunnel
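An address-plan audit for the allocation habits named on this slide and on the two "Reduce The Real Address Space" slides, as an added example that is not part of the original deck. The function names and the inventory are hypothetical; the inventory is constructed from documentation ranges, and the bit counts are the ones the slides give (48 for MAC-derived, 32 or 16 for dense or IPv4-derived addresses).

```python
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID built from a 48-bit MAC (RFC 4291, Appendix A)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Flip the universal/local bit and insert the constant ff:fe: only 48 bits vary.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def classify(addr: str):
    """Return (host_bits, labels): log2 of the space a scanner must cover in the /64."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & (2**64 - 1)          # low 64 bits: the interface ID
    labels = []
    if ip.sixtofour is not None:         # 2002::/16 prefix carries an IPv4 address
        labels.append(f"6to4 prefix embeds {ip.sixtofour}")
    if iid < 2**16:
        bits = 16
        labels.append("densely allocated / low-numbered")
    elif iid < 2**32:
        bits = 32
        labels.append(f"IPv4-sized interface ID ({ipaddress.IPv4Address(iid)})")
    elif (iid >> 24) & 0xFFFF == 0xFFFE:
        bits = 48
        labels.append("EUI-64 derived from MAC")
    else:
        bits = 64
        labels.append("no obvious structure")
    return bits, labels

# Constructed inventory: documentation prefix 2001:db8::/32, documentation
# IPv4 address 192.0.2.1 and documentation-range MAC 00:00:5e:00:53:01.
INVENTORY = [
    "2001:db8:0:1::2a",
    "2001:db8:0:1::c000:201",
    str(ipaddress.IPv6Address((0x20010DB800000001 << 64) | eui64_iid("00:00:5e:00:53:01"))),
    "2001:db8:0:1:8d3c:71a4:e52:b9f6",
    "2002:c000:201:1::1",
]

def audit(addrs=INVENTORY):
    """Map each address to its (host_bits, labels) finding."""
    return {a: classify(a) for a in addrs}

if __name__ == "__main__":
    for a, (bits, labels) in audit().items():
        print(f"{a:<40} 2^{bits:<3} {'; '.join(labels)}")
```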

36
Outline
  Introduction
  Performance Of Current Worms In IPv6
  Speedup Of Worms’ Propagation In IPv6
  Interim From IPv4 To IPv6
  Conclusion

37
Fast-propagating worms are definitely possible in IPv6, at least in /64 enterprise networks
Factors that speed up the propagation
  – A variety of scanning techniques, some of which are theoretical and have not yet been found in the wild
  – Bad design choices in IPv6 – can be eliminated easily
      Densely allocated IPv6 addresses
      Easy-to-remember IPv6 addresses
  – Tradeoffs in IPv6 design – can hardly be eliminated unless innovative methods are developed to meet both requirements in a tradeoff
      Derivation of the 64-bit EUI field from the 48-bit MAC address
      Each host has a DNS name